pinkeen/streams-websockets.Caddyfile

## streams-websockets.Caddyfile
###
# Vhost that terminates HTTPS and also proxies raw TLS connection
# for certain endpoints.
###
https://a-site.example.com {
  # Get a certificate and decrypt the traffic as usual.
  tls auto

  handle /naked {
    # Proxy the decrypted traffic to an HTTP backend effectively terminating the HTTPS
    reverse_proxy http://unsecure-upstream.a-site.example.com
  }

  handle {
    # Proxy the encrypted traffic verbatim to a backend that will handle HTTPS
    reverse_proxy / https://secure-upstream.a-site.example.com {
      transport stream
    }
  }
}

###
# HTTPS-only vhost proxying TLS traffic as-is without decryption.
#
# Note: Host is matched using SNI during initial TLS handshake.
###
https://b-site.example.com {
  # Disables decryption - no certificate is needed or used.
  tls stream

  reverse_proxy upstream.b-site.example.com {
     # Forward the raw connection data stream.
     transport stream
  }
}

###
# Dual http/https vhost that:
# - Proxies encrypted TLS connections for HTTPS requests.
# - Proxies modified unencrypted HTTP requests for /app endpoint.
###
c-site.example.com {
  tls stream

  @encryptedstream protocol https

  reverse_proxy @encryptedstream {
     to https://upstream.c-site.example.com
     transport stream
  }

  ###
  # The further directives will be matched only for HTTP requests
  # as HTTPS traffic stays encrypted.
  ###

  # We can match unencrypted HTTP requests.
  handle /hello {
    respond "Hello World!"
  }

  handle /app/* {
    ###
    # Since HTTP is unencrypted we can use it with HTTP transport reverse proxy
    # and modify the request/response like it's normally possible.
    ###
    uri strip_prefix /app
    reverse_proxy https://app-service.example.com {
        header_up X-Caddy-Via "{system.hostname}"
        header_up X-Caddy-Timestamp "{time.now}"
    }
  }

  ###
  # If nothing before matched - proxy the *unencrypted HTTP* connection data stream as-is.
  #
  # Note: This is almost the same as a "transparent" proxy but purer since the whole
  # communication is unadulterated. This should also give better performance.
  ###
  handle {
    reverse_proxy http://upstream.c-site.example.com {
      transport stream
    }
  }
}

###
# Vhost that tunnels other protocols over HTTP.
# - Proxies SSH verbatim over connection upgraded to custom protocol directly to an SSH port.
# - Proxies MySQL over websocket connection to a MySQL database listener socket.
###
ssh.example.com {
  tls auto

  route /ssh {
    ###
    # Attempt to upgrade the connection to custom "ssh" protocol.
    #
    # The handshake is handled automatically:
    #  - If the upgrade succeeds - the request is a valid upgrade
    #    and accepts the "ssh" protocol or does not specify any protocols.
    #     1) Immediately send a "101 Switching Protocols" response with headers:
    #         Connection: upgrade
    #         Upgrade: ssh
    #     2) Clear the current request as if we had only an opaque stream.
    #     3) Proceed to further handlers.
    #  - If the upgrade fails - either the request is not an upgrade or
    #    specifies a list of supported protocols which does not match "ssh":
    #     1) Immediately send a "426 Upgrade Required" response.
    #     2) Close the handler / middleware chain.
    #
    # Note: If you need to provide custom headers based on the upgrade result
    #       you need to set them via matchers checking the request validity.
    ###
    upgrade ssh

    ###
    # Proxy the raw connection data stream to the local SSH port.
    #
    # Note: The request headers have been already swallowed as they were read in order for the
    # the upgrade response to be sent. The upstream will receive only the communication that
    # takes place after the initial connection upgrade handshake.
    ###
    reverse_proxy localhost:22 {
        transport stream
    }
  }

  route /mysql {
      ###
      # Works the same as the previous "ssh" upgrade, with the exception
      # that websocket connections have extra logic:
      #   If client request contains the `Sec-WebSocket-Key` header the
      #   successfull response will include "Sec-WebSocket-Accept" header
      #   with automatically calculated value.
      ###
      upgrade {
        # The verbose notation is just and example and can be abbreviated to `upgrade websocket`
        protocol websocket
      }

      ###
      # Tunnel the mysql connection data into local mysql unix socket after
      # unwrapping the websocket protocol.
      ###
      reverse_proxy unix//var/run/mysql.sock {
         transport stream {
           ###
           # Since websocket connection uses a special data transmission protocol
           # we need to configure a stream translator middleware which will convert
           # websocket frames into raw data and back.
           ###
           translator websocket
         }
      }
  }

  ###
  # Just return something for unmatched requests.
  ###
  route * {
    respond "Nothing to see here, move along!" 404
  }
}
	###
	# Vhost that terminates HTTPS and also proxies raw TLS connection
	# for certain endpoints.
	###
	https://a-site.example.com {
	# Get a certificate and decrypt the traffic as usual.
	tls auto

	handle /naked {
	# Proxy the decrypted traffic to an HTTP backend effectively terminating the HTTPS
	reverse_proxy http://unsecure-upstream.a-site.example.com
	}

	handle {
	# Proxy the encrypted traffic verbatim to a backend that will handle HTTPS
	reverse_proxy / https://secure-upstream.a-site.example.com {
	transport stream
	}
	}
	}

	###
	# HTTPS-only vhost proxying TLS traffic as-is without decryption.
	#
	# Note: Host is matched using SNI during initial TLS handshake.
	###
	https://b-site.example.com {
	# Disables decryption - no certificate is needed or used.
	tls stream

	reverse_proxy upstream.b-site.example.com {
	# Forward the raw connection data stream.
	transport stream
	}
	}

	###
	# Dual http/https vhost that:
	# - Proxies encrypted TLS connections for HTTPS requests.
	# - Proxies modified unencrypted HTTP requests for /app endpoint.
	###
	c-site.example.com {
	tls stream

	@encryptedstream protocol https

	reverse_proxy @encryptedstream {
	to https://upstream.c-site.example.com
	transport stream
	}

	###
	# The further directives will be matched only for HTTP requests
	# as HTTPS traffic stays encrypted.
	###

	# We can match unencrypted HTTP requests.
	handle /hello {
	respond "Hello World!"
	}

	handle /app/* {
	###
	# Since HTTP is unencrypted we can use it with HTTP transport reverse proxy
	# and modify the request/response like it's normally possible.
	###
	uri strip_prefix /app
	reverse_proxy https://app-service.example.com {
	header_up X-Caddy-Via "{system.hostname}"
	header_up X-Caddy-Timestamp "{time.now}"
	}
	}

	###
	# If nothing before matched - proxy the unencrypted HTTP connection data stream as-is.
	#
	# Note: This is almost the same as a "transparent" proxy but purer since the whole
	# communication is unadulterated. This should also give better performance.
	###
	handle {
	reverse_proxy http://upstream.c-site.example.com {
	transport stream
	}
	}
	}

	###
	# Vhost that tunnels other protocols over HTTP.
	# - Proxies SSH verbatim over connection upgraded to custom protocol directly to an SSH port.
	# - Proxies MySQL over websocket connection to a MySQL database listener socket.
	###
	ssh.example.com {
	tls auto

	route /ssh {
	###
	# Attempt to upgrade the connection to custom "ssh" protocol.
	#
	# The handshake is handled automatically:
	# - If the upgrade succeeds - the request is a valid upgrade
	# and accepts the "ssh" protocol or does not specify any protocols.
	# 1) Immediately send a "101 Switching Protocols" response with headers:
	# Connection: upgrade
	# Upgrade: ssh
	# 2) Clear the current request as if we had only an opaque stream.
	# 3) Proceed to further handlers.
	# - If the upgrade fails - either the request is not an upgrade or
	# specifies a list of supported protocols which does not match "ssh":
	# 1) Immediately send a "426 Upgrade Required" response.
	# 2) Close the handler / middleware chain.
	#
	# Note: If you need to provide custom headers based on the upgrade result
	# you need to set them via matchers checking the request validity.
	###
	upgrade ssh

	###
	# Proxy the raw connection data stream to the local SSH port.
	#
	# Note: The request headers have been already swallowed as they were read in order for the
	# the upgrade response to be sent. The upstream will receive only the communication that
	# takes place after the initial connection upgrade handshake.
	###
	reverse_proxy localhost:22 {
	transport stream
	}
	}

	route /mysql {
	###
	# Works the same as the previous "ssh" upgrade, with the exception
	# that websocket connections have extra logic:
	# If client request contains the `Sec-WebSocket-Key` header the
	# successfull response will include "Sec-WebSocket-Accept" header
	# with automatically calculated value.
	###
	upgrade {
	# The verbose notation is just and example and can be abbreviated to `upgrade websocket`
	protocol websocket
	}

	###
	# Tunnel the mysql connection data into local mysql unix socket after
	# unwrapping the websocket protocol.
	###
	reverse_proxy unix//var/run/mysql.sock {
	transport stream {
	###
	# Since websocket connection uses a special data transmission protocol
	# we need to configure a stream translator middleware which will convert
	# websocket frames into raw data and back.
	###
	translator websocket
	}
	}
	}

	###
	# Just return something for unmatched requests.
	###
	route * {
	respond "Nothing to see here, move along!" 404
	}
	}